The following example policy chain detects new SageMaker Notebooks that are internet-facing (public, with DirectInternetAccess enabled) or unencrypted (no KMS key attached) at launch, then tags, stops, and deletes the notebook and emails the resource owner and the Cloud Custodian admin. SageMaker Notebooks cannot be deleted unless they are in a Stopped status, and they cannot be stopped until they are in an InService status, which is why this needs a chain of policies that trigger in order, using tags and scheduled Lambda runs.

```yaml
policies:

  - name: sagemaker-notebook-auto-tag-user
    resource: sagemaker-notebook
    description: |
      When a new Sagemaker notebook is created tag the creators ID to CreatorName tag
    mode:
      type: cloudtrail
      events:
        - source: sagemaker.amazonaws.com
          event: CreateNotebookInstance
          ids: "responseElements.notebookInstanceArn"
    actions:
      - type: auto-tag-user
        tag: CreatorName

  - name: sagemaker-notebook-tag-non-compliant
    resource: sagemaker-notebook
    description: |
      When a new Sagemaker Notebook is created that is public or not encrypted
      it will get tagged for stopping and then deletion
    mode:
      type: cloudtrail
      events:
        - source: sagemaker.amazonaws.com
          event: CreateNotebookInstance
          ids: "responseElements.notebookInstanceArn"
    filters:
      - or:
        - "DirectInternetAccess": "Enabled"
        - "KmsKeyId": absent
    actions:
      - type: tag
        key: NonCompliantTag
        value: "TRUE"

  - name: sagemaker-notebook-stop-non-compliant
    resource: sagemaker-notebook
    description: |
      If a SageMaker Notebook is tagged with NonCompliantTag then it gets stopped and tagged
      with NonCompliantTagStopped for deletion
    mode:
      type: periodic
      schedule: "rate(5 minutes)"
      timeout: 45
    filters:
      - "tag:NonCompliantTag": "TRUE"
      - "NotebookInstanceStatus": "InService"
    actions:
      - type: tag
        key: NonCompliantTagStopped
        value: "TRUE"
      - stop

  - name: sagemaker-notebook-delete-non-compliant
    resource: sagemaker-notebook
    description: |
      When a new Sagemaker notebook is tagged as non-compliant and in a stopped state, delete it
    mode:
      type: periodic
      schedule: "rate(5 minutes)"
      timeout: 45
    filters:
      - "tag:NonCompliantTagStopped": "TRUE"
      - "NotebookInstanceStatus": "Stopped"
    actions:
      - delete
      - type: notify
        template: default.html
        priority_header: 1
        subject: SageMaker Notebook - Deleted! - [custodian {{ account }} - {{ region }}]
        violation_desc: |
          Public facing (Non-VPC) OR Non-Encrypted Sagemaker Notebooks Are Prohibited!
          All Notebooks Must Be in VPC mode and encrypted!
        action_desc: |
          Actions Taken: Your SageMaker Notebook Instance has been deleted due to being non-compliant.
          Please create a new SageMaker notebook in VPC mode with KMS encryption enabled.
        to:
          - CloudCustodian@Company.com
          - resource-owner
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/123456789123/cloud-custodian-mailer
          region: us-east-1
```
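To see why the chain has to be ordered the way it is, the following added example (not Cloud Custodian code and not part of the original page) re-implements the four policies' filters in plain Python and walks a constructed set of notebook records through the tag, stop and delete steps across several simulated periodic runs. The `Notebook` record, the sample ARNs and the status transition modelled between runs are assumptions made for the illustration; the filter conditions mirror the policy YAML above.

```python
"""Offline dry-run of the SageMaker notebook policy chain.

Added illustration only: it models the policies' filters and actions in
plain Python so the ordering constraint (stop only from InService, delete
only from Stopped) is visible without touching AWS.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Notebook:
    """Constructed stand-in for a DescribeNotebookInstance record (assumption)."""
    arn: str
    status: str                         # InService | Stopping | Stopped | Deleting
    direct_internet_access: str         # "Enabled" or "Disabled"
    kms_key_id: Optional[str] = None    # None models the KmsKeyId key being absent
    tags: Dict[str, str] = field(default_factory=dict)
    actions_log: List[str] = field(default_factory=list)


def is_non_compliant(nb: Notebook) -> bool:
    """Mirror of the `or` filter: public OR no KMS key."""
    return nb.direct_internet_access == "Enabled" or nb.kms_key_id is None


def policy_tag_non_compliant(nb: Notebook) -> None:
    """CloudTrail-triggered policy: runs once, at CreateNotebookInstance."""
    if is_non_compliant(nb):
        nb.tags["NonCompliantTag"] = "TRUE"
        nb.actions_log.append("tag:NonCompliantTag")


def policy_stop_non_compliant(nb: Notebook) -> None:
    """Periodic policy: stop only when tagged AND InService."""
    if nb.tags.get("NonCompliantTag") == "TRUE" and nb.status == "InService":
        nb.tags["NonCompliantTagStopped"] = "TRUE"
        nb.status = "Stopping"          # the stop call returns before the instance is Stopped
        nb.actions_log.append("stop")


def policy_delete_non_compliant(nb: Notebook) -> None:
    """Periodic policy: delete (and notify) only when tagged AND Stopped."""
    if nb.tags.get("NonCompliantTagStopped") == "TRUE" and nb.status == "Stopped":
        nb.status = "Deleting"
        nb.actions_log.append("delete")
        nb.actions_log.append("notify")


def run_periodic_cycle(notebooks: List[Notebook]) -> None:
    """One scheduled run: both periodic policies evaluate every notebook."""
    for nb in notebooks:
        policy_stop_non_compliant(nb)
        policy_delete_non_compliant(nb)


def simulate(notebooks: List[Notebook], cycles: int = 3) -> Dict[str, Tuple[str, List[str]]]:
    """Fire the CloudTrail policy once, then `cycles` periodic runs.

    Between runs the assumed AWS transition Stopping -> Stopped is applied,
    which is what makes the delete policy eligible on the *next* run.
    """
    for nb in notebooks:
        policy_tag_non_compliant(nb)
    for _ in range(cycles):
        run_periodic_cycle(notebooks)
        for nb in notebooks:
            if nb.status == "Stopping":
                nb.status = "Stopped"
    return {nb.arn: (nb.status, list(nb.actions_log)) for nb in notebooks}


def build_sample_notebooks() -> List[Notebook]:
    """Constructed sample input: two non-compliant notebooks and one compliant one."""
    return [
        Notebook("arn:aws:sagemaker:us-east-1:111111111111:notebook-instance/public-kms",
                 "InService", "Enabled", "arn:aws:kms:us-east-1:111111111111:key/example"),
        Notebook("arn:aws:sagemaker:us-east-1:111111111111:notebook-instance/private-nokms",
                 "InService", "Disabled", None),
        Notebook("arn:aws:sagemaker:us-east-1:111111111111:notebook-instance/private-kms",
                 "InService", "Disabled", "arn:aws:kms:us-east-1:111111111111:key/example"),
    ]


if __name__ == "__main__":
    for arn, (status, log) in simulate(build_sample_notebooks()).items():
        print(f"{arn.rsplit('/', 1)[-1]:15} {status:10} {log}")
```

Run it and the two non-compliant notebooks reach `Deleting` only on the second periodic cycle, after the stop from the first cycle has completed; the compliant notebook is never tagged and stays `InService`. Because the periodic policies run every five minutes, a non-compliant notebook is therefore live for up to roughly ten minutes before deletion, which is the window the chain accepts in exchange for honouring the SageMaker state requirements. Before deploying, `custodian validate` on the policy file catches schema mistakes such as a mistyped filter key.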